"As of March 24, there were over 350,000 Exchange servers exposing a version of the software that has this vulnerability," writes Tom Sellers, a senior manager at Boston-based Rapid7 Labs, in a blog post.

The vulnerability could allow a remote attacker "to turn any stolen Exchange user account into a complete system compromise," he says. "In many implementations, this could be used to completely compromise the entire Exchange environment - including all email - and potentially all of Active Directory" (see: Why Hackers Abuse Active Directory).

Microsoft addressed the remote-code-execution vulnerability - designated CVE-2020-0688 - via security updates it released on Feb. 11 for all supported versions of Microsoft Exchange. At least at that point, the flaw didn't appear to have been targeted in the wild, the company said. The flaw was reported to Microsoft by an anonymous researcher via Trend Micro's Zero Day Initiative.

"A remote-code-execution vulnerability exists in Microsoft Exchange Server when the server fails to properly create unique keys at install time," Microsoft said in its security alert. "Knowledge of the validation key allows an authenticated user with a mailbox to pass arbitrary objects to be deserialized by the web application, which runs as SYSTEM. The security update addresses the vulnerability by correcting how Microsoft Exchange creates the keys during install."

Security Updates Include Patch

To fix the flaw, Microsoft pushed security updates for four base versions of Exchange:

"On March 24, we used Project Sonar to survey the internet for publicly facing Exchange Outlook Web App - OWA - services," Sellers says. "What we found was that at least 357,629 (82.5 percent) of the 433,464 Exchange servers we observed were known to be vulnerable."

Subsequently, Sellers added a caveat that 35,000 fewer servers might be vulnerable, owing to Microsoft's fix for Exchange 2010 not updating the visible build information, meaning that scans alone could not tell if an Exchange 2010 system had been updated. Instead, organizations will need to manually verify that every such system has the update. Sellers says they should do the same for all Exchange 2013 and newer systems, noting that the build number alone should indicate if the relevant update is in place.

Check for Compromise

Rapid7 also recommends all organizations that use Exchange search for any signs that they have been compromised via this flaw.

"The exploit code that we tested with left log artifacts in the Windows Event Log and the IIS [Internet Information Services] logs on both patched and unpatched servers," Sellers says, noting that the log error message will also name the compromised user account.

"You will see the username of the compromised account name at the end of the log entry," according to Rapid7's Tom Sellers

Because the attack requires a valid Exchange user account to succeed, "any user accounts seen in these exploitation attempts should be considered compromised," Sellers says.

But Wait, There's More

Unfortunately, the Project Sonar scans revealed more widespread problems than a lack of CVE-2020-0688 patching. Notably, Rapid7 researchers found 31,000 Exchange 2010 servers online that had received no updates since 2012, as well as 800 Exchange 2010 servers that have never been updated. It also saw 10,371 Exchange 2007 servers.

"In addition to the high numbers of servers that are missing multiple updates, there is a concerning number of Exchange 2007 and 2010 servers," Sellers says, although he notes that Exchange 2007 is not vulnerable to CVE-2020-0688. Even so, the unsupported operating system long ago stopped receiving security updates, and now has a raft of critical flaws that attackers could exploit. "Exchange 2007 transitioned to 'end of support' status nearly three years ago, on April 11, 2017," he says. "No security updates, bug fixes, time zone updates, etc., are provided after that date."

Exchange 2010 was scheduled to reach end of support on Jan. 14, although that's now been postponed until Oct. 13, 2020. "There are over 166,000 of these servers connected to the internet," Sellers says. "That's a staggering number of enterprise-class mail systems that will be unsupported in a few months."

About the Author

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Operation Success!

Risk Management Framework: Learn from NIST

From heightened risks to increased regulations, senior leaders at all levels are pressured to
improve their organizations' risk management capabilities. But no one is showing them how -
until now.

Learn the fundamentals of developing a risk management program from the man who wrote the book
on the topic: Ron Ross, computer scientist for the National Institute of Standards and
Technology. In an exclusive presentation, Ross, lead author of NIST Special Publication 800-37
- the bible of risk assessment and management - will share his unique insights on how to:

Understand the current cyber threats to all public and private sector organizations;

Develop a multi-tiered risk management approach built upon governance, processes and
information systems;

Enter your email address to reset your password

Already have anISMG account?

Forgot Your Password Message:

Contact Us

Already have anISMG account?

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.asia, you agree to our use of cookies.